Bring forward some changes from 2.0.8; Improve error messages; Implement STARTUP_ENABLED

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-02 21:48:40 +00:00
parent 502a00cc26
commit d8a733aac0
6 changed files with 85 additions and 96 deletions


@ -14,23 +14,12 @@ Changes since 2.0.3
7) Add PKTTYPE option. 7) Add PKTTYPE option.
firewall
shorewall.conf
8) Enhancements to /etc/shorewall/masq 8) Enhancements to /etc/shorewall/masq
masq
firewall
8) Allow overriding ADD_IP_ALIASES=Yes 8) Allow overriding ADD_IP_ALIASES=Yes
nat
firewall
9) Fix syntax error in setup_nat() 9) Fix syntax error in setup_nat()
firewall
10) Port "shorewall status" changes from 2.0.7. 10) Port "shorewall status" changes from 2.0.7.
11) All config files are now empty. 11) All config files are now empty.
@ -39,3 +28,7 @@ Changes since 2.0.3
13) Pass rule chain and display chain separately to log_rule_limit. 13) Pass rule chain and display chain separately to log_rule_limit.
Prep work for action logging. Prep work for action logging.
14) Show the iptables/ip/tc command that failed when failure is fatal.
15) Implement STARTUP_ENABLED.


@ -156,7 +156,11 @@ run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
if ! iptables $@ ; then if ! iptables $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; } if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
stop_firewall
exit 2
fi
fi fi
} }
@ -183,7 +187,11 @@ run_iptables2() {
# #
run_ip() { run_ip() {
if ! ip $@ ; then if ! ip $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; } if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
stop_firewall
exit 2
fi
fi fi
} }
@ -192,7 +200,11 @@ run_ip() {
# #
run_tc() { run_tc() {
if ! tc $@ ; then if ! tc $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; } if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
stop_firewall
exit 2
fi
fi fi
} }
@ -2784,7 +2796,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
[ "$COMMAND" != check ] && \ [ "$COMMAND" != check ] && \
while havechain %${CHAIN}${actchain}; do while havechain %${CHAIN}${actchain}; do
actchain=$((${actchain-0} + 1)) actchain=$(($actchain + 1))
[ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8) [ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
done done
@ -2865,6 +2877,9 @@ find_logactionchain() # $1 = Action, including log level and tag if any
} }
#
# This function determines the logging for a subordinate action or a rule within a subordinate action
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{ {
local superior=$1 subordinate=$2 local superior=$1 subordinate=$2
@ -2926,12 +2941,32 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
esac esac
} }
# #
# Read /etc/shorewall/actions and /usr/share/shorewall/actions.std and for each defined <action>, pre-process # The next two functions implement the two phases of action processing.
# /etc/shorewall/action.<action> #
# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
# and /etc/shorewall/actions are scanned (in that order) and for each action:
#
# a) The related action definition file is located and scanned.
# b) Forward and unresolved action references are trapped as errors.
# c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the
# action[:level[:tag]] of each action invoked by <action>.
# d) All actions are listed in the global variable ACTIONS.
# e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global
# USEDACTIONS list and their action chain is created.
#
# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an <action>
# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
# length of the chain name does not exceed 11 characters.
#
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
#
# The final step is to traverse the USEDACTIONS list populating each chain appropriately by reading the
# action definition files and creating rules. Note that a given action definition file is processed once for
# each unique [:level[:tag]] applied to an invocation of the action.
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid" ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
@ -3003,53 +3038,8 @@ process_actions1() {
done < $TMP_DIR/$inputfile done < $TMP_DIR/$inputfile
done done
} }
#
# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
# process the associated action files.
#
process_actions2() { process_actions2() {
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() {
local yclients yservers ysourcezone ydestzone ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
ysourcezone=${yclients%%:*}
ydestzone=${yservers%%:*}
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
process_action $xchain $xaction1 $xaction2 $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
fi
fi
done
done
}
do_it() {
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
fi
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
}
drop_broadcasts() { drop_broadcasts() {
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
@ -3065,9 +3055,7 @@ process_actions2() {
run_iptables -A $xchain -d $address -j DROP run_iptables -A $xchain -d $address -j DROP
done done
} }
#
# B O D Y S T A R T S H E R E
#
progress_message " Generating Transitive Closure of Used-action List..." progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes changed=Yes
@ -3179,7 +3167,7 @@ process_actions2() {
echo "Processing $fn for Chain $xchain..." echo "Processing $fn for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
expandv xtarget expandv xtarget
# #
# Generate the target:level:tag to pass to process_action() # Generate the target:level:tag to pass to process_action()
@ -3204,7 +3192,11 @@ process_actions2() {
;; ;;
esac esac
do_it expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
done < $TMP_DIR/$f done < $TMP_DIR/$f
;; ;;
esac esac
@ -5819,10 +5811,11 @@ activate_rules()
# Check for disabled startup # Check for disabled startup
# #
check_disabled_startup() { check_disabled_startup() {
if [ -f /etc/shorewall/startup_disabled ]; then if [ -z "$STARTUP_ENABLED" ]; then
echo " Shorewall Startup is disabled -- to enable startup" echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration," echo " after you have completed Shorewall configuration,"
echo " remove the file /etc/shorewall/startup_disabled" echo " change the setting of STARTUP_ENABLED to Yes in"
echo " /etc/shorewall/shorewall.conf"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
@ -6509,6 +6502,7 @@ do_initialize() {
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
# #
# Strip the files that we use often # Strip the files that we use often
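Review bot: The new failure message in run_iptables, run_ip and run_tc (`error_message "ERROR: Command \"$@\" Failed"`) does not name the program that failed, so the user sees `Command "-A INPUT ..." Failed` with no way to tell whether iptables, ip or tc rejected it, and because `"$@"` sits inside a longer quoted string it expands to several words, so error_message receives the text as multiple arguments rather than one (how it joins them is not visible in this diff). Using `$*` with the program name fixes both: `error_message "ERROR: Command \"iptables $*\" Failed"` in run_iptables, and likewise `"ip $*"` and `"tc $*"` in the other two. Note also that when `$stopping` is set a failing command is still silently ignored by all three wrappers; if that is deliberate (errors during stop must not abort the stop) a one-line comment saying so would help the next reader. In check_disabled_startup the test is now `[ -z "$STARTUP_ENABLED" ]`, so its fail-closed behaviour depends entirely on how added_param_value_yes normalizes 'No' to an empty value; that helper is outside this diff and worth confirming, since an unexpected non-empty value would start the firewall.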


@ -551,7 +551,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
if insserv /etc/init.d/shorewall ; then if insserv /etc/init.d/shorewall ; then
echo echo
echo "shorewall will start automatically at boot" echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else else
cant_autostart cant_autostart
fi fi
@ -559,7 +559,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
if chkconfig --add shorewall ; then if chkconfig --add shorewall ; then
echo echo
echo "shorewall will start automatically in run levels as follows:" echo "shorewall will start automatically in run levels as follows:"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
chkconfig --list shorewall chkconfig --list shorewall
else else
cant_autostart cant_autostart
@ -568,18 +568,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
if rc-update add shorewall default; then if rc-update add shorewall default; then
echo echo
echo "shorewall will start automatically at boot" echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else else
cant_autostart cant_autostart
fi fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart cant_autostart
fi fi
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" > /etc/shorewall/startup_disabled
fi fi
fi fi
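Review bot: The upgrade path never deals with a stale /etc/shorewall/startup_disabled left behind by an earlier install, yet this same commit stops the firewall script from consulting that file (check_disabled_startup now tests STARTUP_ENABLED), so an administrator who relied on the marker to keep an unfinished configuration from starting gets no warning that it is now ignored. A one-line check in the upgrade branch would close that gap: `[ -f /etc/shorewall/startup_disabled ] && echo "WARNING: /etc/shorewall/startup_disabled is no longer honored; set STARTUP_ENABLED=No in /etc/shorewall/shorewall.conf instead"`. Separately, each of the three rewritten messages prints "shorewall will start automatically at boot" immediately followed by "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable", which reads as contradictory; something like `echo "shorewall will start automatically at boot once STARTUP_ENABLED=Yes is set in /etc/shorewall/shorewall.conf"` states both facts in one line.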


@ -161,3 +161,14 @@ New Features:
$LEVEL="info" $LEVEL="info"
$TAG="test" $TAG="test"
6) The /etc/shorewall/startup_disabled file is no longer created when
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
Shorewall to start, that variable's value must be set to
'Yes'. This change accomplishes two things:
a) It prevents Shorewall from being started prematurely by the
user's initialization scripts.
b) It causes /etc/shorewall/shorewall.conf to be modified so that
it won't be replaced by upgrades using RPM.


@ -7,6 +7,14 @@
# This file should be placed in /etc/shorewall # This file should be placed in /etc/shorewall
# #
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
STARTUP_ENABLED=No
############################################################################## ##############################################################################
# L O G G I N G # L O G G I N G
############################################################################## ##############################################################################
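Review bot: The new STARTUP_ENABLED block tells the reader to change it to 'Yes' but not what the setting guards against or which values are accepted, and this file is the only place a fresh installer will look when "shorewall start" refuses to run. I would expand the comment to something like `# Set to No to keep "shorewall start" (and startup at boot) from running until your configuration is complete; change it to Yes when you are done. If this variable is missing, the default is decided by the firewall script.` The exact handling of values other than Yes/No is done by added_param_value_yes in the firewall script, which is not part of this diff, so the comment should not promise more than that.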


@ -40,20 +40,6 @@ rm -rf $RPM_BUILD_ROOT
%post %post
if [ $1 -eq 1 ]; then
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" \
> /etc/shorewall/startup_disabled
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall;
fi
fi
%preun %preun
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
@ -141,6 +127,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Aug 02 2004 Tom Eastep tom@shorewall.net
- Remove startup_disabled.
* Thu Jul 29 2004 Tom Eastep tom@shorewall.net * Thu Jul 29 2004 Tom Eastep tom@shorewall.net
- Updated to 2.1.2-1 - Updated to 2.1.2-1
* Mon Jul 12 2004 Tom Eastep tom@shorewall.net * Mon Jul 12 2004 Tom Eastep tom@shorewall.net
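Review bot: The %post hunk removes the whole scriptlet body, not just the startup_disabled creation: the `insserv /etc/rc.d/shorewall` / `chkconfig --add shorewall` registration on first install (old lines guarded by `if [ $1 -eq 1 ]`) goes with it, while the changelog entry only claims "Remove startup_disabled." Unless dropping init-script registration is intended, an RPM install would leave the firewall unregistered at boot even after the user sets STARTUP_ENABLED=Yes, which is a fail-open outcome for a packet filter. I would keep the registration and drop only the file creation, as below.
```rpmspec
%post
if [ $1 -eq 1 ]; then
    if [ -x /sbin/insserv ]; then
        /sbin/insserv /etc/rc.d/shorewall
    elif [ -x /sbin/chkconfig ]; then
        /sbin/chkconfig --add shorewall;
    fi
fi
```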